Occasional Contributor II

Connecting Cisco WLC to CPPM

Can anyone point me in the direction of a definitive guide on how to connect a Cisco Wireless Controller to CPPM so I can test a wireless SSID using CPPM for authentication? I have the controller pointing to CPPM (AAA RADIUS server IP, port, secret key) but don't see anything in the CPPM logs that indicates an attempt is being made.

I've seen various docs showing how to do this for older 44xx models but nothing for the 5000 series, so that may have something to do with it. Mainly I'm looking for evidence that the two are communicating with one another and telling me why the setup isn't working. Any help appreciated. CPPM 6.7.10 and joined to AD domain. Cisco WLC 5508. Routing enabled.

MVP Guru

Re: Connecting Cisco WLC to CPPM

See here:
https://community.arubanetworks.com/t5/Education-Australia-New-Zealand/Aruba-ClearPass-with-Cisco-WLC-802-1X-Role-Based-Access/gpm-p/455879

Take a look at the event viewer in ClearPass to see if there are any errors.



Thank you

Victor Fabian

Pardon typos sent from Mobile
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I

Re: Connecting Cisco WLC to CPPM

Hi s1nsp4wn,

WLC Interfaces

The Cisco controller has many interfaces depending on how many VLANs you segment users on (i.e. Management and Dynamic interfaces). Those can be overridden depending on how you set up the WLANs and/or use AP groups. CPPM needs to know of those interfaces that users will be requesting authentication from. (The Management interface shouldn't be one unless you're using CPPM to authenticate the management login user.)

  • WLAN - interface assignment. (Default interface for WLAN users)
  • AP Groups - Interfaces assigned here override the WLAN interface assignment.

WLC - AAA

Under the Security Tab - AAA - RADIUS, add your CPPM as a RADIUS Authentication and Accounting server. NOTE: if you're not using CPPM to authenticate Management Login to the WLC, uncheck the "Management" option box. (NOTE: make sure you match the Shared Secret on both WLC and CPPM, or nothing will talk.)

WLC - WLAN setup

1. Under the WLAN Setup, you have the option "RADIUS Server Overwrite Interface". If checked, you can pick which interfaces will be the authenticating interface: WLAN (the interface set in the WLAN default) or AP Group. (If you use AP Groups, those interfaces will be the authentication interfaces and need to be "Devices" in CPPM.)

Then choose your CPPM from the pull-down under Authentication Servers and Accounting Servers. I use "AP Groups", so that is my choice here for the interfaces I want sending authentications.

I like to remove Local and LDAP from the "Order Used for Auth" section as well.

2. Under the WLAN Advanced Tab, check Allow AAA Override.

CPPM

You need to add all interfaces listed on the WLC side from which user authentication requests will be generated. This is under Configuration - Network - Devices.

If the Controller is sending requests from interfaces unknown to CPPM, check your CPPM Event Viewer and you'll see errors from that interface as an unknown device.

[Attachment: Devices for Cisco WLC.PNG]

I hope that helps.

Occasional Contributor II

Re: Connecting Cisco WLC to CPPM

1. I see nothing in the event viewer which I'm guessing means the controller isn't talking to CPPM
2. Is a layer 3 interface necessary on the controller? Can I not just use an SSID?
3. I don't have the option for "Support for RFC 3576" in my Radius servers

Occasional Contributor I

Re: Connecting Cisco WLC to CPPM

Hi,

Essentially, CPPM needs to know of a "device" (the WLC L3 interface IP address) you created on the controller, and you're telling CPPM to accept EAP and CHAP protocol requests from that WLC IP. This communication is secured with the Shared Secret.

Use Case I

If you have just one interface (the management interface) and you assigned that in the WLAN, then you're using the Management interface range for the users as well as for controller portal management (which isn't best practice). If this is true, then the management IP address of your WLC is the device IP address sending authentication requests to CPPM.

Use Case II

If you kept the management interface segmented and you have other L3 interfaces (Dynamic interfaces with VLAN assignments) and you are assigning those interfaces to the WLAN for users, whatever is listed there is the interface that needs to talk to CPPM and be created in CPPM as a Device.

Make sense?

[Attachments: WLC Interfaces.PNG, WLAN Interface.PNG]
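The two answers above boil down to two checks a RADIUS server such as ClearPass performs before it will even evaluate a request: the UDP source IP of the request must be a known "device" (the WLC interface the request leaves from), and the shared secret on that device entry must match the one configured on the WLC. The following is an added example, not code from the thread or from Aruba or Cisco: a small standard-library Python model of those checks. It builds an Access-Request carrying a Message-Authenticator (RFC 2869, which EAP requests always include), then validates it against a constructed device table, returning a reason that mirrors what the thread says you would see in the Event Viewer. The device IPs, user name and secret are constructed sample values; `check_request` and `build_access_request` are names chosen for this example.

```python
"""Model of the two pre-checks a RADIUS server applies to an Access-Request:
known source device, and matching shared secret (via Message-Authenticator).
Added example; not Aruba ClearPass or Cisco WLC code."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1            # RADIUS code (RFC 2865)
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869 section 5.14


def _attr(atype, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(secret, username, nas_ip, identifier=1, authenticator=None):
    """Build an Access-Request whose Message-Authenticator is an HMAC-MD5
    over the whole packet under `secret`, with the MA value zeroed first."""
    authenticator = authenticator or os.urandom(16)  # 16-byte Request Authenticator
    attrs = _attr(ATTR_USER_NAME, username.encode())
    attrs += _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    # Placeholder of 16 zero bytes is hashed, then replaced with the real MAC.
    attrs_zeroed = attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs_zeroed))
    header += authenticator
    mac = hmac.new(secret, header + attrs_zeroed, hashlib.md5).digest()
    return header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def parse_attributes(payload):
    """Walk the attribute list; raise on a malformed length field."""
    attrs, i = [], 0
    while i < len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def check_request(packet, source_ip, devices):
    """`devices` maps source IP -> shared secret, standing in for
    Configuration > Network > Devices on CPPM. Returns (ok, reason)."""
    # Check 1: the UDP source must be a configured device. A request from an
    # unlisted WLC interface is dropped here, which is the "unknown device"
    # error the thread describes in the Event Viewer.
    if source_ip not in devices:
        return False, f"request from unknown device {source_ip}; add it under Network > Devices"
    secret = devices[source_ip]
    if len(packet) < 20:
        return False, "packet shorter than RADIUS header"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False, "not a well-formed Access-Request"
    attrs = parse_attributes(packet[20:])
    # Check 2: recompute the Message-Authenticator with the MA value zeroed.
    received_mac, rebuilt = None, b""
    for atype, value in attrs:
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            received_mac = value
            value = b"\x00" * 16
        rebuilt += _attr(atype, value)
    if received_mac is None:
        return False, "no Message-Authenticator present; cannot verify shared secret"
    expected = hmac.new(secret, packet[:20] + rebuilt, hashlib.md5).digest()
    if not hmac.compare_digest(expected, received_mac):
        return False, "Message-Authenticator mismatch: shared secret differs between WLC and CPPM"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed values: a WLC dynamic-interface IP registered as a device.
    SECRET = b"constructed-shared-secret"
    DEVICES = {"10.20.30.5": SECRET}
    good = build_access_request(SECRET, "user@example.test", "10.20.30.5")
    print(check_request(good, "10.20.30.5", DEVICES))      # known device, secret matches
    print(check_request(good, "10.20.30.99", DEVICES))     # request left a different interface
    wrong = build_access_request(b"typo-on-the-wlc", "user@example.test", "10.20.30.5")
    print(check_request(wrong, "10.20.30.5", DEVICES))     # secret mismatch
```

The order of the checks is the practical point: an unknown source IP fails before the secret is ever examined, so adding the correct WLC interface as a device is the first thing to fix, and only then does a secret mismatch become visible as an authenticator error.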

Occasional Contributor II

Re: Connecting Cisco WLC to CPPM

Yes, makes sense. An interesting thing happened. I never saw this in the event viewer, but came back the next day and guest self-registration started working. Left for the day again and CPPM appears to be unable to keep a connection to the AD. Also now I get an invalid usn/psw when I try searching the Base DN under Authentication > Sources.

Occasional Contributor II

Re: Connecting Cisco WLC to CPPM

Thanks. Will anything further be needed for testing? I've seen mention of enforcement policies etc. but can't seem to join the SSID.

Re: Connecting Cisco WLC to CPPM

The enforcement profile determines what is returned by ClearPass to the WLC. Access Tracker (on CPPM) will show you whether ClearPass is responding with Accept or Reject, and what attributes are included if an Accept is sent. The enforcement profile determines what gets sent.


Charlie Clemmer
Aruba Customer Engineering
Occasional Contributor II

Re: Connecting Cisco WLC to CPPM

When I attempt to join the domain after integrating with the controller, I get the message below and don't know how to fix:

WARN RadiusServer.Radius - servername.com: Password Attribute "userPassword" not available.

Occasional Contributor II

Re: Connecting Cisco WLC to CPPM

Thanks. When I try joining the SSID I get an error "WARN RadiusServer.Radius - domainname.com: Password Attribute "userPassword" not available" and am not sure where to go from here.
